| Client Operating System | Supported Suite-B IKE Authentication | Supported Suite-B IPsec Encryption |
|---|---|---|
| Windows client (NOTE: Windows client operating system includes Windows XP and later versions.) | IKEv1 clients using ECDSA certificates; IKEv1/IKEv2 clients using ECDSA certificates with L2TP/PPP/EAP-TLS certificate user-authentication | AES-128-GCM; AES-256-GCM |

Table 81: Client Support for Suite-B
The Suite-B algorithms described in Table 80 are also supported by Site-to-Site VPNs between Alcatel-Lucent switches, or between an Alcatel-Lucent switch and a server running Windows 2008 or StrongSwan 4.3.
Working with IKEv2 Clients
Not all clients support both the IKEv1 and IKEv2 protocols. Only the clients in Table 82 support IKEv2, with the following authentication types:

| Windows Client | StrongSwan 4.3 Client | AOS-W VIA Client |
|---|---|---|
| Machine authentication with certificates; user name and password authentication using EAP-MSCHAPv2 or PEAP-MSCHAPv2; user smart-card authentication with EAP-TLS / IKEv2. NOTE: Windows clients using IKEv2 do not support pre-shared key authentication. NOTE: Windows client operating system includes Windows 7 and later versions. | Machine authentication with certificates; user name and password authentication using EAP-MSCHAPv2; Suite-B cryptographic algorithms | Machine authentication with certificates; user name and password authentication using EAP-MSCHAPv2; EAP-TLS using Microsoft cert repository. NOTE: AOS-W VIA clients using IKEv2 do not support pre-shared key authentication. |

Table 82: VPN Clients Supporting IKEv2
Support for AOS-W VIA-Published Subnets
Starting from AOS-W 6.5, switches support the IKEv2 Configuration (CFG_SET) payload for AOS-W VIA clients, in conformance with section 3.15 of RFC 5996, which applies to route-based VPNs. This feature is disabled by default.
When this feature is enabled, a switch accepts a CFG_SET message carrying the INTERNAL_IP4_SUBNET attribute type. Each such attribute consists of an IP address and a netmask; when the switch receives the message, it adds an entry for that subnet to the datapath route table with the AOS-W VIA's inner IP address as the next hop. The datapath route-cache entry for the AOS-W VIA's inner IP points to the tunnel endpoint associated with that AOS-W VIA.
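As an added example, not code from the guide or from Alcatel-Lucent, the following Python script parses the body of an IKEv2 Configuration payload as RFC 5996 section 3.15 lays it out, keeps only INTERNAL_IP4_SUBNET attributes from a CFG_SET message, and derives the route entries the text describes (each published subnet pointing at the AOS-W VIA's inner IP as next hop). The sample payload bytes, the inner IP 172.16.5.17 and the optional `allowed` prefix list are constructed assumptions; the guide describes no such allow-list, but bounding what a remote client may publish into the datapath route table is the policy check a defender would add alongside the feature's disabled-by-default setting.

```python
import ipaddress
import struct

# IKEv2 Configuration payload constants (RFC 5996 / RFC 7296, section 3.15).
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_SUBNET = 13   # value: 4-octet address followed by 4-octet netmask


def parse_config_payload(body: bytes):
    """Parse a Configuration payload body (what follows the generic payload
    header): CFG Type (1 octet), RESERVED (3 octets), then attributes, each
    R (1 bit) + Attribute Type (15 bits), Length (2 octets), Value."""
    if len(body) < 4:
        raise ValueError("configuration payload shorter than its fixed header")
    cfg_type = body[0]
    attrs = []
    off = 4
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if len(body) - off < length:
            raise ValueError("attribute length runs past end of payload")
        attrs.append((raw_type & 0x7FFF, body[off:off + length]))  # drop the R bit
        off += length
    return cfg_type, attrs


def subnets_from_cfg_set(body: bytes, allowed=None):
    """Return the IPv4 networks a CFG_SET message asks the switch to publish.
    Malformed attributes and non-contiguous netmasks raise ValueError.
    `allowed` is a hypothetical policy (not described in the guide): an optional
    list of prefixes; a pushed subnet outside all of them is not installed."""
    cfg_type, attrs = parse_config_payload(body)
    if cfg_type != CFG_SET:
        return []            # only CFG_SET installs routes
    allowed_nets = [ipaddress.IPv4Network(a) for a in allowed] if allowed else None
    nets = []
    for attr_type, value in attrs:
        if attr_type != INTERNAL_IP4_SUBNET:
            continue         # e.g. INTERNAL_IP4_ADDRESS is not a route
        if len(value) != 8:
            raise ValueError("INTERNAL_IP4_SUBNET must be address + netmask (8 octets)")
        addr = ipaddress.IPv4Address(value[:4])
        mask = str(ipaddress.IPv4Address(value[4:]))
        # strict=False masks off host bits; a non-contiguous mask raises ValueError
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        if allowed_nets is not None and not any(net.subnet_of(a) for a in allowed_nets):
            continue         # outside policy: do not install
        nets.append(net)
    return nets


def routes_for_cfg_set(body: bytes, via_inner_ip: str, allowed=None):
    """Map each published subnet to the VIA's inner IP as next hop: the
    datapath route-table entries the guide describes."""
    return {str(net): via_inner_ip for net in subnets_from_cfg_set(body, allowed)}


def build_cfg_set(prefixes):
    """Build a CFG_SET body with one INTERNAL_IP4_SUBNET per prefix
    (used here only to construct sample input; not a captured VIA message)."""
    body = bytes([CFG_SET, 0, 0, 0])
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        body += struct.pack("!HH", INTERNAL_IP4_SUBNET, 8)
        body += net.network_address.packed + net.netmask.packed
    return body


# Constructed sample: a VIA client with inner IP 172.16.5.17 publishes two subnets.
VIA_INNER_IP = "172.16.5.17"
SAMPLE_CFG_SET = build_cfg_set(["10.20.30.0/24", "192.168.100.0/25"])

if __name__ == "__main__":
    for prefix, next_hop in routes_for_cfg_set(SAMPLE_CFG_SET, VIA_INNER_IP).items():
        print(f"route {prefix} via {next_hop}")
    # With a policy limiting pushed subnets to 10.0.0.0/8, only the first survives.
    print(routes_for_cfg_set(SAMPLE_CFG_SET, VIA_INNER_IP, allowed=["10.0.0.0/8"]))
```

The parser rejects a payload whose attribute length runs past the buffer and a subnet whose netmask is not contiguous, so a malformed CFG_SET produces an error rather than a bogus route; the route-cache lookup from the inner IP to the tunnel endpoint that the text mentions is the switch's own step and is not modelled here.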
Enabling Support for AOS-W VIA-Published Subnets
In the WebUI
To enable this feature in the switch, perform the following steps in the WebUI:
1. Navigate to Configuration > Advanced Services > VPN Services > IPSEC.
2. Select the Allow AOS-W VIA to push subnets check box under L2TP and XAUTH Parameters.
3. Click Apply.
AOS-W 6.5.3.x | User Guide Virtual Private Networks | 348